自我成

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed self-improvement memory skill, but it can persist session details and influence future agent behavior without enough privacy or review controls.

Install only if you intentionally want a memory-style skill that writes durable learning logs and may influence future agent context. Before enabling hooks or promotion, keep hooks project-scoped, avoid global always-on settings, require human review for writes to AGENTS.md/SOUL.md/TOOLS.md/CLAUDE.md, and redact secrets, personal data, customer details, raw prompts, and full command output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Intent-Code Divergence

Severity: Medium
Confidence: 96%

Finding: The document states that the scripts 'only output text' and 'don't modify files or run commands', but the configured hooks are explicitly executed as shell commands. This mismatch can mislead users into granting trust or enabling hooks without appropriately evaluating the risks of arbitrary script execution in their local environment.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%

Finding: The integration guide expands a narrowly described self-improvement skill into persistent workspace prompt injection, behavioral shaping, and cross-session coordination. That broadening increases the skill's authority and persistence beyond its stated purpose, creating a larger attack surface for prompt injection, unintended policy drift, and data propagation across contexts.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%

Finding: Documenting the ability to inspect other sessions and send messages across sessions is not necessary for simple self-improvement logging and enables lateral movement of prompts, context, or sensitive data between conversations. In a workspace-prompted environment, this can spread poisoned instructions or leak information from one session into another without clear user intent.

Vague Triggers

Severity: Medium
Confidence: 78%

Finding: The trigger phrases are so broad that ordinary user conversation can cause the skill to activate and persist information unexpectedly. In a skill focused on logging and memory promotion, overbroad activation increases the chance of capturing benign but sensitive user content without clear user intent.

Vague Triggers

Severity: High
Confidence: 93%

Finding: Using an empty matcher causes the hook to run on every prompt or matching tool event, creating effectively global activation. Because this skill encourages persistent logging and promotion into other memory files, unconditional triggering materially increases privacy risk and the chance of unintended data retention.

Missing User Warnings

Severity: Medium
Confidence: 89%

Finding: The skill instructs agents to persist corrections, requests, and related context but provides no warning about sensitive data or privacy boundaries. That omission is dangerous because users may reveal secrets, personal data, or proprietary details during corrections and troubleshooting, which would then be stored long-term.

Vague Triggers

Severity: Medium
Confidence: 91%

Finding: An empty matcher causes the hook to trigger for every prompt, creating an always-on execution path for the referenced script. Broad triggering increases exposure to prompt-driven abuse, accidental activation, and unnecessary execution of local commands in contexts where the hook is not needed.

Vague Triggers

Severity: Medium
Confidence: 94%

Finding: The user-level configuration installs an empty-matcher hook globally, so the script runs across all sessions and repositories. This expands the trust boundary beyond a single project and can propagate risky behavior into unrelated workspaces, magnifying the impact of any script bug, compromise, or misuse.

Vague Triggers

Severity: Medium
Confidence: 90%

Finding: Although labeled 'minimal', this setup still uses an empty matcher and therefore executes on every prompt. Reducing the number of hooks does not address the core issue of overbroad trigger scope and continual command execution.

Vague Triggers

Severity: Medium
Confidence: 91%

Finding: The Codex configuration repeats the same empty-matcher pattern, broadening activation to any prompt in that environment as well. Reproducing insecure defaults across multiple agent platforms increases the chance that users will deploy overbroad command hooks without understanding the security tradeoffs.

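The empty-matcher findings above (the user-level, 'minimal' and Codex variants all share it) describe one pattern: a command hook whose trigger is unbounded, so the script runs on every prompt or every tool call, and, when installed at user level, in every repository. The following is an added check, not code from the skill or from SkillSpector: a small auditor that flags that pattern and shows a weak configuration beside a narrowed one. It assumes a Claude Code-style JSON `hooks` layout, the prompt-level event name `UserPromptSubmit`, and that an empty or wildcard matcher selects every tool; the script names and both settings dicts are constructed samples.

```python
"""Audit agent hook settings for always-on triggers (added example, not the skill's code).

Assumptions not taken from the page: hooks live in a JSON settings file shaped like
  {"hooks": {"<Event>": [{"matcher": "<tool-name regex>",
                          "hooks": [{"type": "command", "command": "<shell>"}]}]}}
where an empty or wildcard matcher matches every tool call, prompt-level events
(here "UserPromptSubmit") have no matcher and fire on every prompt, and a
user-level settings file applies to every repository the agent opens.
"""
import json
from dataclasses import dataclass
from pathlib import Path

PROMPT_EVENTS = {"UserPromptSubmit"}   # assumed event name; fires once per prompt
MATCH_ALL = {"", "*", ".*"}            # matcher values that select every tool


@dataclass
class HookIssue:
    event: str
    command: str
    severity: str
    reason: str


def audit_hooks(settings: dict, scope: str = "project") -> list:
    """Return one HookIssue per command hook that runs unconditionally.

    scope is "project" (settings checked into one repo) or "user"
    (global settings); a global always-on hook is rated high.
    """
    issues = []
    for event, groups in settings.get("hooks", {}).items():
        for group in groups:
            matcher = (group.get("matcher") or "").strip()
            if event in PROMPT_EVENTS:
                why = f"{event} fires on every prompt"
            elif matcher in MATCH_ALL:
                why = f"{event} matcher {matcher!r} matches every tool call"
            else:
                continue  # narrowed to specific tools: not an always-on path
            if scope == "user":
                why += "; user-level settings apply to every repository"
            for hook in group.get("hooks", []):
                if hook.get("type") != "command":
                    continue
                issues.append(HookIssue(event, hook.get("command", ""),
                                        "high" if scope == "user" else "medium", why))
    return issues


def audit_file(path: str, scope: str) -> list:
    """Load a settings file from disk and audit it."""
    return audit_hooks(json.loads(Path(path).read_text(encoding="utf-8")), scope)


# Constructed sample: the empty-matcher pattern the findings describe.
WEAK_SETTINGS = {
    "hooks": {
        "UserPromptSubmit": [{"matcher": "", "hooks": [
            {"type": "command", "command": "python3 scripts/learn.py"}]}],
        "PostToolUse": [{"matcher": "", "hooks": [
            {"type": "command", "command": "python3 scripts/capture_error.py"}]}],
    }
}

# Constructed sample of the same skill narrowed: no per-prompt hook, and the
# error-capture hook limited to one tool by an explicit matcher.
HARDENED_SETTINGS = {
    "hooks": {
        "PostToolUse": [{"matcher": "Bash", "hooks": [
            {"type": "command", "command": "python3 scripts/capture_error.py"}]}],
    }
}

if __name__ == "__main__":
    for label, cfg, scope in [("weak/user", WEAK_SETTINGS, "user"),
                              ("weak/project", WEAK_SETTINGS, "project"),
                              ("hardened/project", HARDENED_SETTINGS, "project")]:
        found = audit_hooks(cfg, scope)
        print(f"{label}: {len(found)} issue(s)")
        for issue in found:
            print(f"  [{issue.severity}] {issue.event}: {issue.command} -> {issue.reason}")
```

Run it against both a project settings file and the user-level one (`audit_file(path, "user")`): the same hook that is merely broad in a repository becomes a global always-on path once it sits in user scope, which is why the auditor raises severity there rather than treating the two locations alike.
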
Vague Triggers

Severity: Medium
Confidence: 80%

Finding: The trigger conditions are broad and subjective, such as model behavior surprise, knowledge gaps, and tool call errors, which can cause excessive or unintended activation. In a persistent learning system, ambiguous triggers can lead to over-collection, persistence of untrusted content, and accidental promotion of transient mistakes into long-lived behavioral instructions.

Ssd 3

Severity: Medium
Confidence: 95%

Finding: The skill explicitly normalizes storing user corrections, requests, and task details in persistent logs and cross-session memory without minimization controls. This creates a realistic pathway for sensitive prompts, proprietary instructions, and private context to be retained and resurfaced beyond the original interaction.

Ssd 3

Severity: Medium
Confidence: 97%

Finding: The error template directs the agent to persist full error messages, command inputs, and parameters, which often contain secrets, file paths, tokens, customer data, or internal infrastructure details. Plain-text logging of raw execution context is a common source of credential leakage and accidental disclosure.

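The two findings above, and the overview's advice to redact secrets, personal data, customer details, raw prompts and full command output and to require human review before writing to AGENTS.md/SOUL.md/TOOLS.md/CLAUDE.md, describe the minimization step the skill lacks. What follows is an added example of that step, not the skill's code or the scanner's: it sanitizes an error-template entry before it reaches the learning log and gates promotion into shared memory files on a recorded approver. The field names, the regexes and `SAMPLE_ENTRY` are constructed assumptions, and the patterns are heuristics for common secret shapes rather than a complete detector.

```python
"""Data minimisation for a self-improvement log (added example, not the skill's own code).

Assumptions not taken from the page: the skill's error template is a dict with
the fields used in SAMPLE_ENTRY below, entries are appended to a project-local
learning log, and "promotion" means appending a line to one of the shared
memory files listed in PROTECTED_MEMORY_FILES.
"""
from __future__ import annotations
import re
from pathlib import Path
from typing import Optional

PROTECTED_MEMORY_FILES = {"AGENTS.md", "SOUL.md", "TOOLS.md", "CLAUDE.md"}
DROP_FIELDS = {"raw_prompt"}          # never persist the user's raw prompt
MAX_OUTPUT_LINES = 5                  # keep only the head of command output
MAX_FIELD_CHARS = 400

# Heuristic secret shapes; conservative and not exhaustive.
SENSITIVE_KEY_RE = re.compile(r"(?i)(api[_-]?key|token|secret|password|passwd|credential|authorization)")
KEYED_SECRET_RE = re.compile(r"(?i)\b(api[_-]?key|token|secret|password|passwd)\b(\s*[:=]\s*)([^\s'\")\]]+)")
BEARER_RE = re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._-]+")
VALUE_PATTERNS = [
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                                            # AWS access key id
    re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b"),                                  # GitHub token
    re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),  # JWT
]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
HOME_RE = re.compile(r"(?:/home/|/Users/|C:\\Users\\)[^/\\\s]+")                # home dir + username


def redact(text: str) -> str:
    """Mask secret-like values, e-mail addresses and home-directory usernames."""
    text = BEARER_RE.sub("Bearer [REDACTED]", text)
    text = KEYED_SECRET_RE.sub(r"\g<1>\g<2>[REDACTED]", text)   # keep key name, drop value
    for pat in VALUE_PATTERNS:
        text = pat.sub("[REDACTED]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    return HOME_RE.sub("~", text)


def truncate_output(text: str, max_lines: int = MAX_OUTPUT_LINES,
                    max_chars: int = MAX_FIELD_CHARS) -> str:
    """Keep the head of a command's output and note what was dropped."""
    lines = text.splitlines()
    kept = "\n".join(lines[:max_lines])
    if len(kept) > max_chars:
        kept = kept[:max_chars] + "..."
    if len(lines) > max_lines:
        kept += f"\n... [{len(lines) - max_lines} more lines omitted]"
    return kept


def _sanitize(key: str, value):
    if SENSITIVE_KEY_RE.search(key):
        return "[REDACTED]"                      # any value stored under a secret-named key
    if isinstance(value, dict):
        return {k: _sanitize(k, v) for k, v in value.items()}
    if isinstance(value, list):
        return [_sanitize(key, v) for v in value]
    if isinstance(value, str):
        value = redact(value)
        return truncate_output(value) if key == "output" else value
    return value


def sanitize_error_entry(entry: dict) -> dict:
    """Return the entry as it may be written to the learning log."""
    return {k: _sanitize(k, v) for k, v in entry.items() if k not in DROP_FIELDS}


def gate_promotion(target_name: str, entry: str, approved_by: Optional[str]) -> tuple:
    """Decide whether a learning may be appended to a memory file."""
    if target_name in PROTECTED_MEMORY_FILES and not approved_by:
        return False, f"{target_name} is shared agent memory; a human must approve this entry"
    if redact(entry) != entry:
        return False, "entry still contains a secret-like value; redact it first"
    return True, "ok"


def promote(target: Path, entry: str, approved_by: Optional[str] = None) -> bool:
    """Append the entry only when gate_promotion allows it, recording the approver."""
    allowed, reason = gate_promotion(target.name, entry, approved_by)
    if not allowed:
        print(f"refused: {reason}")
        return False
    with target.open("a", encoding="utf-8") as fh:
        fh.write(f"- {entry} (approved by: {approved_by or 'not required'})\n")
    return True


# Constructed sample of what an unminimised error template could capture.
SAMPLE_ENTRY = {
    "command": "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlX2J5dGVz' https://api.internal.example/v1/orders",
    "parameters": {"config": "/home/alice/proj/.env", "api_key": "sk-live-9f8e7d6c5b4a"},
    "error": "401 Unauthorized for alice@example.com (token=ghp_abcdefghijklmnopqrstuvwxyz123456)",
    "output": "\n".join(f"line {i}" for i in range(1, 21)),
    "raw_prompt": "please fix the deploy, my password is hunter2",
}

if __name__ == "__main__":
    for k, v in sanitize_error_entry(SAMPLE_ENTRY).items():
        print(f"{k}: {v}")
    print(gate_promotion("AGENTS.md", "Prefer uv over pip in this repo", None))
    print(gate_promotion("AGENTS.md", "Prefer uv over pip in this repo", "alice"))
```

The gate checks the entry text itself with the same `redact` pass used for the log, so an approver cannot wave through a learning that still carries a token, and the raw prompt is dropped outright rather than scrubbed, since the page's own guidance is not to persist it at all.
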
Ssd 3

Severity: Medium
Confidence: 92%

Finding: Inter-session transcript reading and sending learnings between sessions expands the blast radius of any sensitive information captured by the skill. Once data can move across sessions, confidentiality boundaries weaken and unrelated tasks or agents may gain access to context they should not see.

VirusTotal

65/65 vendors flagged this skill as clean.